heroku:spring只能通过https访问端点 [英] heroku : spring boot acces to endpoints with https only

查看:135
本文介绍了heroku:spring只能通过https访问端点的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我在Heroku上部署了Spring Boot Java应用程序。我想确保我的注册终端只能通过https访问。到目前为止,我已经知道,heroku使用负载平衡器,它将每个https连接重定向到带有特殊标头(X-forward-porto)的http。
Iam使用 

  compile(org.springframework.boot:spring-boot-starter-security)

用于加密工具(散列密码)。我已经将security.basic.enable属性设置为false(实际上不知道它是否在这种情况下很重要)。



尝试设置这些设置: 

  tomcat:
 remote_ip_header:x-forwarded-for 
 protocol_header:x -forwarded-proto

在我的application.yml中



是,我如何才能实际强制端点只能通过https链接使用?对于http,它可能会返回404或其他东西。我使用gradle,它很难找到任何使用它的参考。尝试了谷歌发现的一些事情,但它没有奏效(或者我不知道如何正确实施它们......)。我仍然可以通过邮递员通过http访问我的端点。
现在看起来像这样: 

  @Controller 
 @RequestMapping(/ users)
 public class AccountController {
 @Autowired 
 private AccountRepository accountDao; 
 $ b @RequestMapping(value =/ register,method = RequestMethod.POST,consumes =application / json)
 public ResponseEntity< Resource< Account>> createAccount(@RequestBody @Valid Account account){...}


解决方案

其实我已经找到了一个解决方案(最后)在这个repo https://github.com / fenrirx22 / springmvc-https-enforcer



创建2个类: 

  @Configuration 
 public class ApiConfig {
 @Bean 
 public Filter httpsEnforcerFilter(){
 return new HttpsEnforcer(); 
 
 
 $ / code $ / pre 
 $ b $ p  
 
 
  public class HttpsEnforcer实现Filter {
 
 private FilterConfig filterConfig; 
 
 public static final String X_FORWARDED_PROTO =x-forwarded-proto; 
 
 @Override 
 public void init(FilterConfig filterConfig)throws ServletException {
 this.filterConfig = filterConfig; 
 
 $ b @Override 
 public void doFilter(ServletRequest servletRequest,ServletResponse servletResponse,FilterChain filterChain)throws IOException,ServletException {
 
 HttpServletRequest request =(HttpServletRequest )servletRequest; 
 HttpServletResponse响应=(HttpServletResponse)servletResponse; 
 
 if(request.getHeader(X_FORWARDED_PROTO)!= null){
 if(request.getHeader(X_FORWARDED_PROTO).indexOf(https)!= 0){
 response .sendRedirect(https://+ request.getServerName()+ request.getPathInfo()); 
 return; 
} 
} 
 
 filterChain.doFilter(request,response); 
} 
 
 @Override 
 public void destroy(){
 // nothing 
} 
} 
  
像一个魅力。  
I have a Spring Boot java app deployed on heroku. I want to be sure that my registration endpoint can be only accessed by https. So far I've known, heroku uses load balancer which redirect every https connection to http with a special header (X-forwarded-porto).
Iam using
compile("org.springframework.boot:spring-boot-starter-security")

for encryption tools (hashing password). I've set the "security.basic.enable" properties to false (actually don't know if it matters in that case.).



Tried already setting these settings :
tomcat:
  remote_ip_header: x-forwarded-for
  protocol_header: x-forwarded-proto

in my application.yml



The question is, how i can actually enforce endpoint to be used only via https link? For http it could return 404 or something. I am using gradle and its kinda hard to find any refference using it. Tried a couple of things found in google but it didn't work ( or I don't know how to implement them correctly...). I've still could access my endpoint via http with postman.
Right now it looks like this:
@Controller
@RequestMapping("/users")
public class AccountController {
    @Autowired
    private AccountRepository accountDao;

    @RequestMapping(value = "/register", method = RequestMethod.POST, consumes = "application/json")
    public ResponseEntity<Resource<Account>> createAccount(@RequestBody @Valid Account account) { ... }



 解决方案 
Actually I've found a solution ( finally ) in this repo https://github.com/fenrirx22/springmvc-https-enforcer.



Created 2 classes:
@Configuration
public class ApiConfig {
    @Bean
    public Filter httpsEnforcerFilter(){
        return new HttpsEnforcer();
    }
}

and:
public class HttpsEnforcer implements Filter {

    private FilterConfig filterConfig;

    public static final String X_FORWARDED_PROTO = "x-forwarded-proto";

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        this.filterConfig = filterConfig;
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (request.getHeader(X_FORWARDED_PROTO) != null) {
            if (request.getHeader(X_FORWARDED_PROTO).indexOf("https") != 0) {
                response.sendRedirect("https://" + request.getServerName() + request.getPathInfo());
                return;
            }
        }

        filterChain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing
    }
}

Works like a charm. 


                        
这篇关于heroku:spring只能通过https访问端点的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
相关文章
Java开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆